Effective Information Sharing Legislation Needed to Combat Cyber Attacks

posted by in Cybersecurity July 22, 2015

It’s not hard today to find news accounts of how America’s digital networks are under siege.  Cyber criminals are at work, hoping to extract valuable data from consumers, businesses, and government organizations and to shut down or disrupt our critical infrastructure. One way to combat these attacks is allowing businesses and the government to share information about possible cyber threats in order to more effectively respond.  Unfortunately, current legal barriers discourage collaboration, putting more consumer data and our most critical infrastructure in harm’s way.

To spur action on this front, I sent a letter on behalf of BSA | The Software Alliance to Senate leadership, encouraging them to take up cyber threat information sharing legislation that will help both businesses and government combat cyber threats.

The Cybersecurity Information Sharing Act of 2015 (S.754), introduced by Sen. Richard Burr (R-NC), has bipartisan support and deserves a robust debate before the full Senate. The Senate Intelligence Committee favorably reported the bill out of committee in April, and the House of Representatives has already taken necessary steps by overwhelmingly passing measures with similar goals: the Protecting Cyber Networks Act (HR 1560) and the National Cybersecurity Protection Advancement Act (HR 1731). The Senate has a valuable opportunity to take action on this key legislation now.

Enacting effective cyber threat information sharing legislation will allow public- and private-sector entities to voluntarily share valuable threat data, best practices, and vulnerabilities while protecting consumer privacy. BSA previously outlined six key tenets of effective information sharing legislation.  Increased situational awareness will enhance the ability of businesses, consumers, and operators of critical infrastructure to better defend themselves against attacks and intrusions.

Cybersecurity threats change on a daily basis, and BSA member companies are at the forefront of these battles. BSA urges the Senate to pass legislation that gives a helping hand to these companies and provides government necessary tools in the continuing fight against cyber crime.

Accepting Director Comey’s Call for a Public Debate on Encryption

posted by in Cybersecurity, Privacy July 8, 2015

FBI Director James Comey published a column on July 6, 2015, calling for a robust public debate about the benefits and costs of strong encryption that protects users’ privacy and overall network security. I join Director Comey in that call.

The law enforcement community has raised legitimate concerns about their ability to access information stored electronically.  Our member companies are fully committed to the important mission of law enforcement in keeping Americans safe and investigating criminal activity, and stand ready to do their part. But companies need both clarity about their obligations and the freedom to innovate to meet users’ demands. And we need to ensure that responsibilities imposed on technology companies do not endanger the security of our users’ information, or endanger network security more broadly.

Director Comey writes that the problem with strong encryption is it makes it easier for “bad people” to communicate.  This may well be true, and is a good reason for a public dialogue. Yet as we discuss this issue, let’s remember that encryption also is what empowers good people in repressive regimes to spread freedom and hope. It is what protects our bank records, our health records, and other personal information. And, it is what we need to fend off cyberattacks. If we require tech companies to create “back doors” into our technology, we will be weakening our defenses and providing a gift to cyber-criminals.

The issues involved in encryption are complex and require consideration of all sides. Just today a group of prominent cryptographers published a very detailed report warning against back doors and other ways to weaken encryption. “Keys Under the Doormat” should be mandatory reading for all of us.

As Director Comey prepares to testify before the Senate, I encourage him to focus on solutions that maintain our network security and users’ personal information.

The State of Cybersecurity in APAC

posted by in Cybersecurity June 30, 2015

News of cyber attacks dominates today’s headlines. No country is safe from malicious cyber actors. In a world where cyber threats are constant, it is important to understand both how governments are addressing cybersecurity challenges and steps they can take to do better.

Today, BSA | The Software Alliance released its first Asia-Pacific (APAC) Cybersecurity Dashboard, an in-depth study of 10 APAC markets and their approaches to cybersecurity. Our goal is to inspire government leaders in each market to prioritize cybersecurity as an issue of national importance. This APAC Dashboard  is a companion to the European Union Cybersecurity Dashboard, released by BSA earlier this year.

The Dashboard’s findings are clear: the 10 markets examined in APAC have been slow to produce comprehensive national cybersecurity strategies and implement the legal frameworks needed for security and critical infrastructure protection. Yet there are tremendous opportunities to improve the systems needed to protect against, prevent, mitigate, and respond to cyber attacks.  Doing so will bolster enterprise, government, and consumer confidence in cutting edge Internet-enabled technologies and services, driving economic growth and productivity, and will reduce the costs and risks associated with growing cyber threats.

BSA examined the cybersecurity policies and practices of Australia, China, India, Indonesia, Japan, South Korea, Malaysia, Singapore, Taiwan, and Vietnam. Each country’s cybersecurity policies were reviewed with specific focus on the legal foundations for cybersecurity, operational capabilities, public-private partnerships, sector-specific cybersecurity plans, and cybersecurity education and awareness.

The Dashboard shows most governments aren’t leveraging the expertise and knowledge of the private sector to improve their approach to cybersecurity. Additionally, several markets impose local standards and testing requirements that are inconsistent with truly international approaches to cybersecurity.

The good news is that all of the markets currently have national computer emergency response teams (CERTs), an important step in ensuring that governments can respond to cyber attacks quickly and effectively. Additionally, almost all of the APAC markets have dedicated significant resources to cybersecurity education, including innovative cybersecurity awareness programs aimed at the general public.

The full study, along with detailed summaries of the findings for all 10 APAC markets, is available at http://www.bsa.org/APACCybersecurity. As national governments update their frameworks and as we collect new information, we intend to update the APAC Cybersecurity Dashboard online to show progress across the relevant areas. We invite any and all interested parties to review the results and contact us with information regarding updates and changes.

You Can Do Amazing Things with Software

posted by in Industry June 1, 2015

Why does software matter?

As new technological advances propel us forward, it’s easy to take for granted the growing role software is playing for all of us.

Today’s software functions so consistently and seamlessly, we sometimes don’t even realize the many ways it’s improving our daily lives. Yet it is at the very heart of innovation all around us.

Fundamentally, software is revolutionizing the way we live our lives.

We want to spotlight the countless ways people use software to do amazing things and to help change our world for the better.

With software:

  • Teachers are connecting classrooms with real-time “student pen-pals” around the globe.
  • Doctors are saving more premature babies than ever before.
  • Engineers are making buildings and bridges safer and stronger — and more beautiful.
  • Astronauts are pushing the limits of what we know about our galaxy.
  • World-class athletes and novice runners are maximizing their workouts and nutrition.
  • Parents can talk to their children face-to-face in any part of the world.

And the great news?  Something even more exciting than the progress above is the enormous potential for us all to do even greater things with software in the days to come.  What makes software so extraordinary is how you, the user, are putting it to use.  We can all be innovators.

You can do amazing things with software.  You already are.  It’s today’s reality, and our daily lives are all the better for it.

We are excited to spread this message, so central to so many lives today.  But the dialogue shouldn’t stop there.  Use #WithSoftware to tell us about the many ways big and small that you’re using software to make your life better.

We hope you’ll learn more about the truly amazing things you can do with software at withsoftware.org.  We see such infinite promise in the future, and hope you do, too.

Malware Threats from Unlicensed Software: The Critical First Step for Cyberrisk Management

posted by in Compliance and Enforcement April 23, 2015

Waking up to find your company on the front page news and at the center of a data breach is every CEO’s worst nightmare—and for a number of businesses, it has become reality. Today, the threats from cybercrime are real and frightening, and the risks are extraordinary. Cybersecurity is an incredibly complex issue and business leaders are grappling with how to best protect their businesses, understand the new business vulnerabilities, and identify what steps they can take to protect themselves and their customers from becoming a victim of cybercrime.

There is a strong case for organizations to put protection from malware at the top of their risk agenda. In the past year, 43% of companies experienced a data breach. The average organization experiences a malware event every three minutes, and the costs of dealing with that malware can be astronomical. The International Data Corporation (IDC) estimates that enterprises spent $491 billion in 2014 as a result of malware associated with counterfeit and unlicensed software.

A threshold step to mitigating risk is gaining an understanding of your own network and if the software you are using is genuine and fully licensed. Unfortunately, many businesses are failing to take this basic and critical first step to protect themselves.

It has long been suspected that there is a connection between unlicensed software and cybersecurity threats. A new study commissioned by BSA | The Software Alliance and conducted by IDC confirms this as fact.

The study compared rates of unlicensed software installed on PCs with a measure of malware incidents on PCs across 81 countries. Given that 43% of the software installed on PCs globally in 2014 was unlicensed, it’s clear that many businesses are at risk. The findings were sobering. The implication for governments, enterprises and consumers is clear: assessing what is in your network and eliminating unlicensed software could help reduce the risk of cybersecurity incidents.

Fortunately there are proven best practices available to tackle the challenges around software licensing.  The world class standard for Software Asset Management is ISO/IEC 19770-1:2012. The importance of implementing internal controls for legal use of technology, including software, has become so critical that COSO now recommends it in its revised Internal Control – Integrated Framework.

While putting controls in place may sound simple, many businesses are missing this first step. Only 35% of companies have written policies requiring the use of properly licensed software. For CEOs, now is the time to start implementing best practices that will help mitigate security risks and avoid your business becoming tomorrow’s news headline. For more information on additional steps you can take, visit BSA’s website.

This post originally appeared on Risk Management Monitor on April 16, 2015.

Time for Congress to Act on Cyber Threat Information Sharing

posted by in Cybersecurity April 21, 2015

Both public and private sector entities fall victim to cyber criminals and other malicious actors each day. Sharing information about cyber threats is critical to prevent and combat these attacks.

Over the past several years, Congress and the courts have taken steps to clarify and promote information sharing. Last year, the Department of Justice and Federal Trade Commission provided guidance clarifying that private entities can share cyber threat information without raising antitrust concerns — helping to pave the way for more timely cyber threat information sharing. That was a helpful step but there is more that can be done.

Strengthening the Patent System by Ending Patent Abuse

posted by in Intellectual Property March 19, 2015

Patent reform is top of mind on Capitol Hill this month as several Committees hold hearings to discuss the need for patent reform. BSA was honored to testify today at the Senate Committee on Small Business and Entrepreneurship. My testimony underscored the need for legislative action to curb abuses in the patent system.

The Small Business Committee is the ideal venue for an organization like BSA to present our views. Although our members range in size – from very small to large, each of them was founded by one or two individuals with passion, an idea, and a vision for making that idea a marketplace reality.

Closing the Gaps in EU Cybersecurity: Let’s Get It Right

posted by in Cybersecurity March 5, 2015

Bolstering cybersecurity is a challenge facing boardrooms and government officials around the world. While technology is enabling us to be smarter about how we communicate, create, and solve problems, it has also introduced new risks which must be managed.

In Brussels next week, Member States will meet in Coreper as they continue to work toward consensus on a Network and Information Security (NIS) Directive aimed at harmonizing cybersecurity laws across Europe. That is no small feat when negotiating among 28 countries. A report released this week by BSA charts just how big a task they have before them.

It’s Time to Support Software Industry Priorities

posted by in Intellectual Property March 3, 2015

The global software industry – exemplified by the unparalleled success of American-born innovation – is changing the way we live. Software creates jobs. It sustains vibrant economies. And it enables us to do amazing things by connecting human ingenuity with technology to not only improve how we live our lives every day but also turn remarkable new ideas into reality.

In recent years it’s been a challenge to foster cooperation and deal making in Washington. However, White House and congressional leaders seem eager to change this dynamic and demonstrate they can work together to pass legislation. This week, the General Counsels of BSA | The Software Alliance member companies are coming to Washington to urge action by Congress and the Obama Administration on a bipartisan, achievable, pro-growth agenda focusing on patent reform, government access to private data, and removing trade barriers. These issues don’t require new spending or changes in the tax code. But they are common sense, drive economic growth, and — with the right support – are achievable this year.

Malware Threats from Unlicensed Software: Real or Imagined?

posted by in Compliance and Enforcement, Cybersecurity February 18, 2015

It has long been assumed that there is a connection between unlicensed software and cyber security threats. In fact, BSA’s most recent Global Software Survey found that computer users cite exposure to cybersecurity threats from malware as the chief reason not to use unlicensed software.

To test whether this relationship is indeed real or imagined, BSA commissioned a new analysis from global research firm IDC comparing rates of unlicensed software installed on PCs with a measure of malware incidents on PCs across 81 countries. The results show there is a strong positive correlation between unlicensed software and malware encounters – the higher the unlicensed software rate in a country, the more malware (more…)